On June 4th, 2021, the European Commission adopted and published a new set of so-called standard contractual clauses (“SCCs”) providing a legal basis for international transfers of personal data from the EU/EEA to third countries. These SCCs are a long-anticipated update to the standard contractual clauses (one set from 2004 and 2001, and another from 2010), adopted under the EU Data Protection Directive 95/46/EC, which have in practice been the dominant means to enable international transfers of personal data. The new SCCs incorporate the requirements of the EU General Data Protection Regulation (“GDPR”) and take into account the July 2020 judgment of the Court of Justice of the European Union (“CJEU”) in Schrems II.
Unlike the previous documents, the new SCCs aim to cover four transfer scenarios in one document, namely:
- Controllers in the EU/EEA transferring personal data to controllers outside the EU/EEA;
- Controllers in the EU/EEA transferring personal data to processors outside the EU/EEA;
- Processors in the EU/EEA transferring personal data to (sub-)processors outside the EU/EEA;
- Processors in the EU/EEA transferring personal data to controllers outside the EU/EEA.
The new SCCs will enter into force 20 days after publication in the Official Journal of the European Union. The old SCC implementing decision will be repealed three months after that date, so data exporters implementing new arrangements must use only the new SCCs from three months after publication at the latest. Data exporters relying on (signed) old SCCs may continue to rely on them for an additional 15 months (a total of 18 months from publication in the Official Journal) as long as the processing operations remain unchanged.
While the SCCs contain numerous new elements worth diving into, we outline a few primary ones below:
- Like the current SCCs, the new SCCs will only achieve the goal of providing a legal basis for international transfers of personal data if there are no modifications of their text (Clause 2(a)).
- A substantial number of provisions of the SCCs can be invoked and enforced by the data subjects as third-party beneficiaries (Clause 3).
- The SCCs require that the governing law is the law of an EU member state (Clause 17), and that disputes are resolved in the courts of an EU member state (Clause 18). Clause 12 contains mandatory liability and indemnification language.
- There is also a new “docking” clause (Clause 7), allowing for an entity that is not (yet) a party to the SCCs to accede to the clauses as either a data exporter or importer. This new mechanism will be particularly useful in the context of acquisitions, additional corporate entities, and sub-processors.
- Clause 14 deals with local laws and practices affecting compliance with the SCCs, and requires a detailed assessment and documentation of the laws in the country of the data importer. For US companies acting as data importers, Clause 14, Footnote 12 will be particularly important. In Footnote 12, the SCCs state that “different elements may be considered as part of the overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame.” Footnote 12 goes on to explain that where such practical experiences are considered, they must be supported “by other relevant, objective elements” that must be evaluated for reliability and representativeness. This approach is different from the European Data Protection Board (“EDPB”) recommendation regarding the draft of the SCCs.
- If a data importer has reason to believe that it will not be able to comply with the SCCs, it must inform the data exporter. The data exporter then must identify appropriate measures to address the situation. If such appropriate safeguards cannot be put in place, the data exporter should suspend transfers. Additionally, if the data importer receives a “legally binding request” from a public authority for disclosure of transferred personal data, it must inform the data exporter and data subject where possible. Aggregate information should also be provided periodically to the data exporter.
- There is not yet a complete picture as to whether implementing the SCCs alone will be enough to achieve a sufficiently robust legal basis for international transfers. Like the old SCCs, the new SCCs are “considered to provide appropriate safeguards” for the transfer of personal data from data exporters subject to the GDPR to data importers not subject to the GDPR (Article 46(1) GDPR). In Schrems II, the CJEU ruled that controllers and processors, when using SCCs, may have to implement additional safeguards to ensure adequate protection of personal data transferred pursuant to SCCs, because Article 46 GDPR also requires that “enforceable data subject rights and effective legal remedies are available.” In Clause 2(a) of the SCCs, the European Commission states that the SCCs set out “appropriate safeguards, including enforceable data subject rights and effective legal remedies,” so there may be arguments that no supplemental measures are needed beyond what the SCCs already require. With this background, the update of the EDPB’s “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data,” which may be finalized as soon as June 18th, 2021, will be of particular interest.
Along with the SCCs, the European Commission also released standard contractual clauses under Article 28 GDPR for controllers and processors within the EU/EEA (essentially a template data processing agreement).
The United Kingdom Information Commissioner’s Office announced in May 2021 that it is working on a bespoke set of standard contractual clauses for use in the context of transfers out of the United Kingdom.
The new SCCs impose more detailed assessment and documentation obligations for international transfers of personal data. Companies should therefore soon start taking stock of their existing standard contractual clauses with a view to transitioning to the new SCCs within the 18-month deadline.
Additionally, for data importers in the United States, it will be important to continue paying close attention to the possible development of a successor to the EU-US Privacy Shield.